RE: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer....

2006-05-05 Thread John T (Lists)
Just when you think we won the battle, they move the targets and change the
rules.

This is why we need people like Pete and Darrell to help us fight this ever
changing war.

A big thanks.

John T
eServices For You

"Seek, and ye shall find!"


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Friday, May 05, 2006 11:37 AM
> To: John T (Lists)
> Subject: Re[4]: [sniffer] Lot of Drugs Spam getting through sniffer
> 
> On Friday, May 5, 2006, 1:08:14 PM, John wrote:
> 
> JTL> Well, I am at the point that I could care less about geocities false
> JTL> positives. If GeoCities is going to allow this much spam junk then I
> JTL> could care less about allowing them.
> 
> That's fine.
> 
> There are probably a number of systems that feel that way. I only
> meant to say that we've tried a "block-first" strategy w/ geocities
> before and had to remove it. YMMV.
> 
> You should also know (may remember) that the blackhats experimented a
> while ago with using several other hosting sites, including msn, and
> seeding them in round-robin fashion so that they all appeared in each
> campaign. Since this experiment stopped abruptly I doubt that it has
> been abandoned - rather, it was put on the shelf for a while. At the
> time it was clearly effective for them. I think it likely they will do
> that again (don't know when) since they are putting some new effort
> into this path. I don't have any evidence of it yet.
> 
> I discovered that on 20060503 the blackhats made some significant
> changes to their use of geocities links and their transmission
> patterns. I've re-tuned the F002 bot to compensate and it is currently
> reviewing a handful of new geocities links every minute and adding
> approximately 1.2 new rules per minute.
> 
> I suspect that the lull we observed may have had something to do with
> their "tooling up" for this set of campaigns.
> 
> _M
> 
> 
> 
> 
> This E-Mail came from the Message Sniffer mailing list. For information
and
> (un)subscription instructions go to
> http://www.sortmonster.com/MessageSniffer/Help/Help.html





RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Colbeck, Andrew
Goran,

When you issue a reload you can tell that the new rulebase is being used
because the *.svr file's date and time will change to the current time.

Andrew 8)

  

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Friday, February 24, 2006 7:31 AM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] When to go persistent
> 
> Hi,
> 
> I just got my service up and running using Matt's post 
> 
> http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html
> 
> It was simple, especially since I already had the resource kit installed.
> 
> Now I know that this is supposed to work to get the persistent 
> instance to load the new rulebase after a download.
> 
> REM Load new rulebase file.
> %LicenseID%.exe reload
> 
> 
> But is there any way to query the service and ask it to tell 
> you when was the last time the rulebase was loaded? Or what 
> version of the rulebase it is using? When running in peer 
> mode this question does not arise since the instances read 
> the file off disk so there is no problem.
> With the persistent instance this is not the case and I would 
> like to know that it really is using the newest rulebase.
> 
> Goran Jovanovic
> Omega Network Solutions
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> > Sent: Thursday, February 23, 2006 3:11 PM
> > To: Rick Robeson
> > Subject: Re[4]: [sniffer] When to go persistent
> > 
> > On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
> > 
> > RR> I thought you had to run this as a service?
> > 
> > RR> Rick Robeson
> > RR> getlocalnews.com
> > RR> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
> > 
> > Strictly speaking you do not have to run it as a service, but it is 
> > more convenient to do so. If you run it from the command line then you 
> > would need to remain logged in.
> > 
> > Running the persistent instance from the command line is convenient 
> > for testing, but it is much better to run it as a service in a 
> > production environment - that way it starts and stops with the other 
> > services as expected, doesn't require any account to be logged in, 
> > etc...
> > 
> > _M
> > 
> > 
> > 


RE: Re[4]: [sniffer] When to go persistent

2006-02-24 Thread Goran Jovanovic
Hi,

I just got my service up and running using Matt's post 

http://www.mail-archive.com/sniffer@sortmonster.com/msg00169.html

It was simple, especially since I already had the resource kit installed.

Now I know that this is supposed to work to get the persistent instance
to load the new rulebase after a download.

REM Load new rulebase file.
%LicenseID%.exe reload


But is there any way to query the service and ask it to tell you when
was the last time the rulebase was loaded? Or what version of the
rulebase it is using? When running in peer mode this question does not
arise since the instances read the file off disk so there is no problem.
With the persistent instance this is not the case and I would like to
know that it really is using the newest rulebase.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, February 23, 2006 3:11 PM
> To: Rick Robeson
> Subject: Re[4]: [sniffer] When to go persistent
> 
> On Thursday, February 23, 2006, 1:22:53 PM, Rick wrote:
> 
> RR> I thought you had to run this as a service?
> 
> RR> Rick Robeson
> RR> getlocalnews.com
> RR> [EMAIL PROTECTED] 
> 
> Strictly speaking you do not have to run it as a service, but it is
> more convenient to do so. If you run it from the command line then you
> would need to remain logged in.
> 
> Running the persistent instance from the command line is convenient
> for testing, but it is much better to run it as a service in a
> production environment - that way it starts and stops with the other
> services as expected, doesn't require any account to be logged in,
> etc...
> 
> _M
> 
> 
> 


Re: Re[4]: [sniffer] problems!!!!

2006-02-08 Thread Darin Cox
Perhaps I used the wrong terminology about what changed, since I do not know
what your system architecture is, but I remember you mentioning a
significant change at the time.  Immediately afterwards we saw a rash of
false positives.  That is what I would like to have controls in place to
avoid.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Darin Cox" 
Sent: Wednesday, February 08, 2006 11:46 AM
Subject: Re[4]: [sniffer] problems


On Wednesday, February 8, 2006, 11:26:46 AM, Darin wrote:

DC> There was no error in my comment.  I completely understand that some
DC> issues will not be foreseeable... I did say "mostly", not entirely.  The
DC> switch to the automated bots caused a rash of false positives in our system.



Actually, there is the error I was talking about -- (I'm not pointing
fingers either, just trying to set the record straight.)

The automated bots had been online and part of the system for several
years when the error occurred. There was no cut-over to announce.

DC> What I would be looking for is an announcement of a specific date/time
DC> for a cutover so we could freeze just before that, and unfreeze once it
DC> was clear that no glut of false positives would result.

I completely agree, and that is our policy. Before we turn on anything
important, we will announce it, as we have in the past. Even if for no
other reason than we want you to know we've done something cool... but
certainly so that we can have everyone aware and watching out for any
unexpected results (good or bad).

_M





Re: Re[4]: [sniffer] Bad Rule - 828931

2006-02-08 Thread Bonno Bloksma

Hi,

I sort of tried something like that as well but my cut command went 
wild. I ended up with a list of spool file names (rulespool.log), without the 
D/Q, but each line ending with a 0D0D0A (CRCRLF) sequence. :-( The ruleD.log 
file was ok.


grep "rulenum" snf.log > rule.log
grep "Final" rule.log > rulef.log
cut -f 3 rulef.log > ruleD.log
cut -b2- ruleD.log > rulespool.log


After some manual editing I ran a small batch file to move all files into the 
spam hold directory and do a manual review. I had only a few dozen hits that 
were held.


@echo off
rem Move the D/Q file pair of every message ID listed in rulespool.log
rem (one ID per line, without the leading D or Q) into the hold folder.
Set SpamDir=C:\IMail\Spool\Spam
Set SpamHold=C:\IMail\Spool\Spam\Hold
For /F %%a in (rulespool.log) do (
 echo Testing %SpamDir%\D%%a
 if exist %SpamDir%\D%%a (
   echo %%a
   move %SpamDir%\D%%a %SpamHold%\
   move %SpamDir%\Q%%a %SpamHold%\
 )
)
:end


Groetjes,


Bonno Bloksma

- Original Message - 
From: "Goran Jovanovic" <[EMAIL PROTECTED]>

To: 
Sent: Wednesday, February 08, 2006 3:10 AM
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931


OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions




-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Goran Jovanovic
Sent: Tuesday, February 07, 2006 8:39 PM
To: sniffer@SortMonster.com
Subject: RE: Re[4]: [sniffer] Bad Rule - 828931

I just ran the grep command on my log and I got 850 hits.

Now is there a way to take the output of the grep command and use it to
pull out the total weight of the corresponding message from the Declude log
file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions



> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
>
> Hello William,
>
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
>
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
>
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
>
> Confirmed - 22,055
>
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
>
> --
> Best regards,
>  David  mailto:[EMAIL PROTECTED]
>
>
>


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew



Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}" gxamq2kt.log.20060207* >msgids.txt

The file msgids.txt will now contain just the GUID part of the D[guid].SMD from
column 3 in the tab delimited Message Sniffer log files.

I then used a batch file I had previously created called qm.cmd (for queue and
move).  Note that the folders I specify are for Declude 1.x, which has an
overflow folder.  I use the overflow folder so that Declude will re-analyze the
message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ >nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ >nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages.  I am using a move instead
of a copy because I want Declude to be able to move a message it deems spam to
the spam folder.  If I used a copy, it would fail to do the move because the
file is already in the spam folder, and Declude would then pass control back to
Imail, which would then deliver the spam inbound.

After my queue went back to normal, I then set to work on my dec0207.log file
to determine if the entirety of the message was spam or ham based on whether it
was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)

p.s. Another re-posting in HTML so as to preserve the line breaks.  Sorry for
the duplication, folks.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 5:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits.
> 
> Now is there a way to take the output of the grep command and use it to
> pull out the total weight of the corresponding message from the Declude
> log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> > 
> > Hello William,
> > 
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> > 
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> > 
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> > 
> > Confirmed - 22,055
> > 
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine location,
> > extract q/d pair from quarantine and send to user.
> > 
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Colbeck, Andrew
Goran, this is pretty much what I did to get to re-queuing:

gawk "$0 ~ /Final\t828931/ {print substr($3,2,16)}"
gxamq2kt.log.20060207* >msgids.txt

The file msgids.txt will now contain just the GUID part of the
D[guid].SMD from column 3 in the tab delimited Message Sniffer log
files.

I then used a batch file I had previously created called qm.cmd (for
queue and move).  Note that the folders I specify are for Declude 1.x,
which has an overflow folder.  I use the overflow folder so that Declude
will re-analyze the message:

Rem this is the qm.cmd file listing
move d:\imail\spool\spam\d%1.smd u:\imail\spool\ >nul
move d:\imail\spool\spam\q%1.smd u:\imail\spool\overflow\ >nul

I then issued from the command line:

for /F %i in (msgids.txt) do @qm.cmd %i

That takes care of re-queuing all the held messages.  I am using a move
instead of a copy because I want Declude to be able to move a message it
deems spam to the spam folder.  If I used a copy, it would fail to do
the move because the file is already in the spam folder, and Declude
would then pass control back to Imail, which would then deliver the spam
inbound.

After my queue went back to normal, I then set to work on my dec0207.log
file to determine if the entirety of the message was spam or ham based
on whether it was held or not (which is the simple scenario I have).

I hope that helps,

Andrew 8)


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 5:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits. 
> 
> Now is there a way to take the output of the grep command and 
> use it to pull out the total weight of the corresponding message 
> from the Declude log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
>  
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> > 
> > Hello William,
> > 
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> > 
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> > 
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> > 
> > Confirmed - 22,055
> > 
> > I'm writing a program now to parse the sniffer log file, extract the 
> > file ID, lookup the id in sql server, determine quarantine location, 
> > extract q/d pair from quarantine and send to user.
> > 
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]
> > 
> > 
> > 


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
OK to answer my own question. Run the following commands

grep -U "Final.828931" snf.log >1.txt
cut -b26-41 1.txt >2.txt
grep -U -f2.txt d:\spool\dec0207.log >3.txt
egrep -U "\smd Tests failed|\smd Subject" 3.txt >4.txt

notepad 4.txt

Now I have to read my 4.txt and figure out what I am going to do about
it.

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Goran Jovanovic
> Sent: Tuesday, February 07, 2006 8:39 PM
> To: sniffer@SortMonster.com
> Subject: RE: Re[4]: [sniffer] Bad Rule - 828931
> 
> I just ran the grep command on my log and I got 850 hits.
> 
> Now is there a way to take the output of the grep command and use it to
> pull out the total weight of the corresponding message from the Declude
> log file, or maybe the subject?
> 
> Goran Jovanovic
> Omega Network Solutions
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of David Sullivan
> > Sent: Tuesday, February 07, 2006 7:47 PM
> > To: Landry, William (MED US)
> > Subject: Re[4]: [sniffer] Bad Rule - 828931
> >
> > Hello William,
> >
> > Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> >
> > LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> >
> > That's what I tried. Just figured out I forgot to capitalize the "F".
> > It works.
> >
> > Confirmed - 22,055
> >
> > I'm writing a program now to parse the sniffer log file, extract the
> > file ID, lookup the id in sql server, determine quarantine
> > location, extract q/d pair from quarantine and send to user.
> >
> > --
> > Best regards,
> >  David  mailto:[EMAIL PROTECTED]
> >
> >
> >
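The whole triage pipeline this thread assembles piece by piece (Goran's grep/cut/egrep chain to get Subject and test results out of the Declude log, Andrew's gawk one-liner to pull the message ID out of column 3 of the Sniffer log, and Bonno's batch file that moves the D/Q pair into a hold folder) as one added Python example. This is not code from the thread or from Message Sniffer; the log layouts, directory names and message IDs embedded in it are constructed assumptions that follow what the posts say (tab-separated Sniffer lines with D<id>.SMD in column 3, and `<id>.smd Subject:` / `<id>.smd Tests failed:` lines in the Declude log). One thing it does that the batch file in the thread does not: it refuses to move a message unless both halves of the D/Q pair are present.

```python
"""Triage and hold the messages that one Message Sniffer rule scored.

Added example, not code from the thread or from Message Sniffer.  The two
embedded log formats are constructed approximations, not real log captures.
"""
import re
import shutil
from pathlib import PureWindowsPath

RULE_ID = "828931"

# Constructed sample Sniffer log (assumed layout): date, time, message file,
# result type, rule id, remainder -- all tab separated, as the thread describes.
SNIFFER_LOG = (
    "20060207\t193905\tD0123456789abcdef.SMD\tFinal\t828931\t...\n"
    "20060207\t193906\tDfedcba9876543210.SMD\tMatch\t828931\t...\n"    # not the Final result
    "20060207\t193907\tD00112233aabbccdd.SMD\tFinal\t828931\t...\r\n"  # CRLF-terminated line
    "20060207\t193908\tDdeadbeef00000000.SMD\tFinal\t123456\t...\n"    # a different rule
)

# Constructed sample Declude log lines (assumed layout).
DECLUDE_LOG = (
    "02/07/2006 19:39:05 Q0123456789abcdef.smd Subject: Meeting notes for Wednesday\n"
    "02/07/2006 19:39:05 Q0123456789abcdef.smd Tests failed: SNIFFER-DRUGS; total weight 17\n"
    "02/07/2006 19:39:07 Q00112233aabbccdd.smd Subject: Your order has shipped\n"
    "02/07/2006 19:39:07 Q00112233aabbccdd.smd Tests failed: SNIFFER-DRUGS SURBL; total weight 22\n"
    "02/07/2006 19:39:08 Qdeadbeef00000000.smd Subject: unrelated message\n"
)

# '<id>.smd Subject: ...' or '<id>.smd Tests failed: ...', with an optional D/Q prefix.
DECLUDE_ENTRY = re.compile(
    r"[DQ]?([0-9A-Fa-f]{16})\.smd\s+(Subject|Tests failed)[^:]*:\s*(.*)$", re.IGNORECASE
)


def final_hits(sniffer_log, rule_id):
    """Message IDs whose Final result came from rule_id, in log order.

    Same selection as the gawk one-liner in the thread: column 4 must be
    'Final' and column 5 the rule; the ID is column 3 minus the leading D and
    the .SMD suffix.  A trailing CR is stripped so a CRLF log cannot leak a
    stray carriage return into the ID (the CRCRLF problem seen in the thread).
    """
    ids = []
    for line in sniffer_log.splitlines():
        fields = line.rstrip("\r").split("\t")
        if len(fields) < 5 or fields[3] != "Final" or fields[4] != rule_id:
            continue
        msg_id = fields[2][1:].rsplit(".", 1)[0].lower()
        if msg_id not in ids:
            ids.append(msg_id)
    return ids


def declude_details(declude_log, ids):
    """Map each wanted ID to its Subject and 'Tests failed' text from the Declude log."""
    details = {i.lower(): {"subject": None, "tests_failed": None} for i in ids}
    for line in declude_log.splitlines():
        m = DECLUDE_ENTRY.search(line)
        if not m:
            continue
        msg_id, kind, text = m.group(1).lower(), m.group(2).lower(), m.group(3).strip()
        if msg_id in details:
            details[msg_id]["subject" if kind == "subject" else "tests_failed"] = text
    return details


def triage(sniffer_log, declude_log, rule_id):
    """One row per held message (ID, Subject, Declude test results) for manual review."""
    ids = final_hits(sniffer_log, rule_id)
    found = declude_details(declude_log, ids)
    return [{"id": i, **found[i]} for i in ids]


def plan_moves(existing_files, msg_id, spam_dir, hold_dir):
    """(src, dst) pairs that move the D/Q pair of msg_id from spam_dir to hold_dir.

    Returns [] unless both halves exist: moving one half alone strands a
    message that neither the mail server nor Declude can process.
    existing_files is the set of names present in spam_dir (constructed here;
    os.listdir(spam_dir) in practice).
    """
    names = ["D%s.SMD" % msg_id, "Q%s.SMD" % msg_id]
    present = {n.upper() for n in existing_files}
    if not all(n.upper() in present for n in names):
        return []
    return [(str(PureWindowsPath(spam_dir) / n), str(PureWindowsPath(hold_dir) / n)) for n in names]


def apply_moves(moves):
    """Carry out the planned moves on the live spool (run on the mail server itself)."""
    for src, dst in moves:
        shutil.move(src, dst)


if __name__ == "__main__":
    for row in triage(SNIFFER_LOG, DECLUDE_LOG, RULE_ID):
        print(row["id"], "|", row["subject"], "|", row["tests_failed"])
```

Running it prints the two messages whose Final result was rule 828931 with their Subject and Declude test line, which is the same review list Goran's 4.txt ends up holding; `plan_moves` is kept separate from `apply_moves` so the move list can be inspected (or logged) before anything in the spool is touched.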


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread Goran Jovanovic
I just ran the grep command on my log and I got 850 hits. 

Now is there a way to take the output of the grep command and use it to
pull out the total weight of the corresponding message from the Declude log
file, or maybe the subject?

Goran Jovanovic
Omega Network Solutions

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of David Sullivan
> Sent: Tuesday, February 07, 2006 7:47 PM
> To: Landry, William (MED US)
> Subject: Re[4]: [sniffer] Bad Rule - 828931
> 
> Hello William,
> 
> Tuesday, February 7, 2006, 7:39:05 PM, you wrote:
> 
> LWMU> grep -c "Final.*828931" c:\imail\declude\sniffer\logfile.log
> 
> That's what I tried. Just figured out I forgot to capitalize the "F".
> It works.
> 
> Confirmed - 22,055
> 
> I'm writing a program now to parse the sniffer log file, extract the
> file ID, lookup the id in sql server, determine quarantine
> location, extract q/d pair from quarantine and send to user.
> 
> --
> Best regards,
>  David  mailto:[EMAIL PROTECTED]
> 
> 
> 


RE: Re[4]: [sniffer] Bad Rule - 828931

2006-02-07 Thread John Carter
David 

Drop the q/d files back into the \spool\proc directory.  Declude will
reprocess them.  If you put them in just the \spool, queue manager will send
them out in the next queue run, bypassing Declude. 

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of David Sullivan
Sent: Tuesday, February 07, 2006 7:15 PM
To: Pete McNeil
Subject: Re[4]: [sniffer] Bad Rule - 828931

Hello Pete,

Tuesday, February 7, 2006, 8:11:50 PM, you wrote:

DS>> Not sure, can anyone think of a way to cross check this? What if I 
DS>> put all the released messages back through sniffer?

PM> That would be good -- new rules were added to correctly capture the 
PM> bad stuff. I almost suggested something more complex.

That said...anyone know specifics of reprocessing messages through Declude
on Imail? I know that in 1.x Declude would drop some kind of marker so that
q/d's copied into spool would not be reprocessed but I don't remember what
it was and don't know if it works same in 3.x.

Posted question on Declude JM list but no answer so far.

--
Best regards,
 David  mailto:[EMAIL PROTECTED]





RE: Re[4]: [sniffer] Last chance to renew at the old price!

2005-12-28 Thread Rick Hogue
It shows 292.50 now on the site so evidently they are taking the price up.

Rick Hogue

Intent.Net – Web Hosting

3802 Handley Avenue

Louisville, KY 40218

1-502-459-3100

1-800-866-2983 Toll Free

 

New Books Available

"Prosperity Or Better Times Ten"

"Hot Slot Secrets"

"The Incredible Inman's Louisville Trivia Challenge"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, December 28, 2005 9:16 PM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer] Last chance to renew at the old price!

The biggest concern I have about this is that the price is too low -
that is a violation. I'm sure it was unintentional, and if not, then
the contract will be pulled.

If you read closely, John T isn't on the wrong side here - he's asking
the right questions.

The price at ComputerHouse is out of line at the moment.

_M

On Wednesday, December 28, 2005, 9:00:48 PM, Peer-to-Peer wrote:

PtPS> You certainly crossed a line of ethical integrity at the very least.

PtPS> Pete: If you don't already have a 'non-compete' agreement in
PtPS> your reseller agreement it's time.

PtPS> I would never have believed someone would actually try to sell
PtPS> your reseller rates to your customer base.

PtPS> It's simply appalling.  And should be grounds for termination.

PtPS> -Original Message-
PtPS> From: [EMAIL PROTECTED]
PtPS> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
PtPS> Sent: Wednesday, December 28, 2005 8:46 PM
PtPS> To: sniffer@SortMonster.com
PtPS> Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

PtPS> Absolutely not. In fact, if you read my post after this, I
PtPS> am questioning whether or not it can be sold for a lower price.

PtPS> I am not here to undermine any one, as after all where do
PtPS> you think the license that I sell comes from?

PtPS> After all, we are all here to help one another.

PtPS> John T
PtPS> eServices For You

PtPS> -Original Message-
PtPS> From: [EMAIL PROTECTED]
PtPS> [mailto:[EMAIL PROTECTED] On Behalf Of Peer-to-Peer (Support)
PtPS> Sent: Wednesday, December 28, 2005 5:41 PM
PtPS> To: sniffer@SortMonster.com
PtPS> Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

PtPS> John T: Did you just solicit the ENTIRE sniffer community
PtPS> with pricing that will undermine Pete?

PtPS> Never bite the hand that feeds you my friend.

PtPS> -Original Message-
PtPS> From: [EMAIL PROTECTED]
PtPS> [mailto:[EMAIL PROTECTED] On Behalf Of John T (Lists)
PtPS> Sent: Wednesday, December 28, 2005 8:17 PM
PtPS> To: sniffer@SortMonster.com
PtPS> Subject: RE: Re[2]: [sniffer] Last chance to renew at the old price!

PtPS> Although I am a registered reseller, I normally only sell
PtPS> hardware and software to clients as part of my services.

PtPS> However, if any one is interested in a price, contact me off list.

PtPS> John T
PtPS> eServices For You

PtPS> -Original Message-
PtPS> From: [EMAIL PROTECTED]
PtPS> [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
PtPS> Sent: Wednesday, December 28, 2005 5:00 PM
PtPS> To: sniffer@SortMonster.com
PtPS> Subject: Re: Re[2]: [sniffer] Last chance to renew at the old price!

PtPS> After posting this, another reseller pm me their renewal
PtPS> rate of $269. I didn't know Sniffer had another reseller besides
PtPS> Declude.

PtPS> Anyways, for those who are interested and want to save
PtPS> money, it's https://www.computerhouse.com/ccsecure.html

PtPS> At 01:21 PM 12/28/2005, you wrote:

PtPS> Can we renew at declude.com since their pricing is
PtPS> $292.50? I assume their prices will increase on Jan 1, 2006 too.



RE: Re[4]: [sniffer] POP3 Account Question

2005-12-06 Thread William Van Hefner
Pete,

How about just creating some accounts that are commonly targeted by
dictionary attacks, but that were never actually valid accounts on our
server? I could redirect all of them to a common mailbox. There are also a
few other "common" (non-role) addresses that we do not use, which always get
targeted by spammers. I am thinking of sales@, info@, etc. I have
accumulated quite a list of common dictionary attack names from my logs. I
wouldn't have to seed the addresses anywhere. They get hit just by virtue of
how common they are.


William Van Hefner
Network Administrator

Vantek Communications, Inc.
555 H Street, Ste. C
Eureka, CA 95501
707.476.0833 ph





RE: Re[4]: [sniffer]

2005-11-11 Thread John Hammell
I would respectfully disagree with this view; Message Sniffer
is a very useful addition to the Anti-Spam tools in MDaemon, but 
SpamAssassin catches many thing correctly that Message Sniffer
misses, and the opposite happens as well ... we have Message
Sniffer catching things Spam Assassin can't do on its own.

Together they are very effective, but we wouldn't remove
Spam Assassin from Mdaemon, and we don't find it bogs down 
on the setups we use here, but of course that doesn't mean 
it can't happen. 

Regards,

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: 10 November 2005 17:36
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]

On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS> _M,

PtPS> <<_M said>> will create a "default" installation that emits headers
PtPS> and puts a .cf file in place for SA to interpret them.

PtPS> Not sure if this is relevant to your thought process, but we feel that
PtPS> SA (SpamAssassin) does more harm than good.  Under moderate loads it
PtPS> bogs-down MDaemon so we always have SA disabled.  Sniffer is by far
PtPS> superior in every category, (accuracy, speed, dependability etc...) so
PtPS> there's no need to use SpamAssassin.

PtPS> My point: Keep in mind that some of us use sniffer independently (not
PtPS> tied to SA).  We're using sniffers .cfg plug-in for MD ver 8.
PtPS> I assume you will, and I probably misunderstood your post, but just
PtPS> wanted to mention this out-loud.
Thanks for this! I think it's the first time I've heard it said out
loud from anyone involved with MDaemon. As a result I'm operating
under the assumption that folks who install SNF on MDaemon _most
likely_ have SA running and so that would be the simplest default
installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to
push the button and have it work. In that context, what is the best
"default install"?

All that said, once the installation is complete, a technically savvy
person could reconfigure SNF and MDaemon to work in any way they
prefer. We're definitely not going to do anything to make that more
difficult.

Thanks,

_M











RE: Re[4]: [sniffer]

2005-11-10 Thread Dave Koontz
Well, I think you will likely find that most organizations do use Mdaemon's
built-in SA implementation.  I have it under fairly high load and have no
problems with it.  No tool is perfect, so I use multiple tools.  SA gives me
a lot of flexibility in writing my own custom rules, WhiteLists, BlackLists,
etc. as well as using SURBL and URIBL lookups.  It is also nice that it
"Learns" key terminology for our Organization.

If Mdaemon hadn't created the plugin hook to have Sniffer run inline, I
probably wouldn't have run Sniffer as a content filter rule due to the
overhead.

SA and Sniffer are both great products, and having the ability for them to
work in conjunction with each other seems a natural progression.

Just my two cents worth...  :-)

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 12:36 PM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]

On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS> _M,

PtPS> <<_M said>> will create a "default" installation that emits 
PtPS> headers and puts a .cf file in place for SA to interpret them.

PtPS> Not sure if this is relevant to your thought process, but we feel 
PtPS> that SA
PtPS> (SpamAssassin) does more harm than good.  Under moderate loads it 
PtPS> bogs-down MDaemon so we always have SA disabled.  Sniffer is by 
PtPS> far superior in every category, (accuracy, speed, dependability 
PtPS> etc...) so there's no need to use SpamAssassin.

PtPS> My point: Keep in mind that some of us use sniffer independently 
PtPS> (not tied to SA).  We're using sniffers .cfg plug-in for MD ver 8.
PtPS> I assume you will, and I probably misunderstood your post, but 
PtPS> just wanted to mention this out-loud.

Thanks for this! I think it's the first time I've heard it said out loud
from anyone involved with MDaemon. As a result I'm operating under the
assumption that folks who install SNF on MDaemon _most likely_ have SA
running and so that would be the simplest default installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to push
the button and have it work. In that context, what is the best "default
install"?

All that said, once the installation is complete, a technically savvy person
could reconfigure SNF and MDaemon to work in any way they prefer. We're
definitely not going to do anything to make that more difficult.

Thanks,

_M








RE: Re[4]: [sniffer]

2005-11-10 Thread Peer-to-Peer (Support)
_M,

<<_M said>> Is that true (do you think) or is it now more likely that SA
would be disabled?

I have no basis, but doubt that more than 5% of MDaemon configurations have
SA disabled.  I'm certain Sniffer would far benefit in the overall picture
if you could create an installation that ties-in together with SA.

The benefit of SA in MDaemon is the fact that it's their default Spam-Filter
and unfortunately MD has built their bells and whistles around it.  For a
normal company it's almost mandatory to use.

I'm not anti-SA; I think it's a fine service, we've just figured out that
it's extra baggage on our servers which serves no specific use for our needs
(just ties-up system resources).

Arvel @ Alt-N is clearly missing the boat...


Paul R


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 12:36 PM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]


On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS> _M,

PtPS> <<_M said>> will create a "default" installation that emits headers
PtPS> and puts a .cf file in place for SA to interpret them.

PtPS> Not sure if this is relevant to your thought process, but we feel that
PtPS> SA (SpamAssassin) does more harm than good.  Under moderate loads it
PtPS> bogs-down MDaemon so we always have SA disabled.  Sniffer is by far
PtPS> superior in every category, (accuracy, speed, dependability etc...) so
PtPS> there's no need to use SpamAssassin.

PtPS> My point: Keep in mind that some of us use sniffer independently (not
PtPS> tied to SA).  We're using sniffers .cfg plug-in for MD ver 8.
PtPS> I assume you will, and I probably misunderstood your post, but just
PtPS> wanted to mention this out-loud.

Thanks for this! I think it's the first time I've heard it said out
loud from anyone involved with MDaemon. As a result I'm operating
under the assumption that folks who install SNF on MDaemon _most
likely_ have SA running and so that would be the simplest default
installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to
push the button and have it work. In that context, what is the best
"default install"?

All that said, once the installation is complete, a technically savvy
person could reconfigure SNF and MDaemon to work in any way they
prefer. We're definitely not going to do anything to make that more
difficult.

Thanks,

_M








RE: Re[4]: [sniffer]

2005-11-10 Thread Daniel Bayerdorffer
Hi Pete,

Here is my setup.

I still have SpamAssassin running, for two reasons.

1. It allows my users to submit False Positives, False Negatives, and
Whitelisted addresses, by using the built-in email addresses that Mdaemon
provides for those. I then set up rules in the Mdaemon Content Filter to
forward those to the appropriate SortMonster addresses.

2. It can block obvious spam in the SMTP session before it even comes in.

I also have Spam Assassin set up to use the Message Sniffer Results.

As far as my updating of the Rule Base goes, I set up a Content Filter Rule to
scan incoming mail for the Update Notification. Listed below.

[Rule007]
RuleName=Update Message Sniffer Rules
Enable=Yes
ThisRuleCondition=All
ProcessQueue=BOTH
Condition01=SUBJECT|contains|AND|vXXX.snf Update|
Action01=run a program|"-1,0,1","cmd.exe /C C:\MDaemon\MessageSniffer\snfupd.cmd"
Action02=stop processing|

The snfupd.cmd is set up pretty much like the example you include with the
plugin.

I set up two Content Filter rules to forward the False Positives and False
Negatives to Sort Monster. Listed below.

[Rule001]
RuleName=Forward Ham Learn to Message Sniffer
Enable=Yes
ThisRuleCondition=All
ProcessQueue=BOTH
Condition01=TO|contains|AND|[EMAIL PROTECTED]|
Action01=remove header|"Subject",""
Action02=add header|"Subject","False Positive Report - license vXXX"
Action03=remove header|"From",""
Action04=add header|"From","[EMAIL PROTECTED]"
Action05=copy to|"[EMAIL PROTECTED]"
Action06=stop processing|

[Rule002]
RuleName=Forward Spam Learn to Message Sniffer
Enable=Yes
ThisRuleCondition=All
ProcessQueue=BOTH
Condition01=TO|contains|AND|[EMAIL PROTECTED]|
Action01=remove header|"From",""
Action02=add header|"From","[EMAIL PROTECTED]"
Action03=copy to|"[EMAIL PROTECTED]"
Action04=stop processing|


HTH,
Daniel



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, November 10, 2005 12:36 PM
> To: Peer-to-Peer (Support)
> Subject: Re[4]: [sniffer]
> 
> On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:
> 
> PtPS> _M,
> 
> PtPS> <<_M said>> will create a "default" installation that emits headers
> PtPS> and puts a .cf file in place for SA to interpret them.
> 
> PtPS> Not sure if this is relevant to your thought process, but we feel that
> PtPS> SA (SpamAssassin) does more harm than good.  Under moderate loads it
> PtPS> bogs-down MDaemon so we always have SA disabled.  Sniffer is by far
> PtPS> superior in every category, (accuracy, speed, dependability etc...) so
> PtPS> there's no need to use SpamAssassin.
> 
> PtPS> My point: Keep in mind that some of us use sniffer independently (not
> PtPS> tied to SA).  We're using sniffers .cfg plug-in for MD ver 8.
> PtPS> I assume you will, and I probably misunderstood your post, but just
> PtPS> wanted to mention this out-loud.
> 
> Thanks for this! I think it's the first time I've heard it said out
> loud from anyone involved with MDaemon. As a result I'm operating
> under the assumption that folks who install SNF on MDaemon _most
> likely_ have SA running and so that would be the simplest default
> installation.
> 
> Is that true (do you think) or is it now more likely that SA would be
> disabled?
> 
> In any case, the installer is intended for someone who just wants to
> push the button and have it work. In that context, what is the best
> "default install"?
> 
> All that said, once the installation is complete, a technically savvy
> person could reconfigure SNF and MDaemon to work in any way they
> prefer. We're definitely not going to do anything to make that more
> difficult.
> 
> Thanks,
> 
> _M
> 
> 
> 
> 





RE: Re[4]: [sniffer]

2005-11-10 Thread Jim Matuska Jr.
We are running Sniffer with the Mdaemon plug-in and SA and it seems to work
great for us, much better than our previous Imail/Declude sniffer
combination.  

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]

 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Thursday, November 10, 2005 9:36 AM
To: Peer-to-Peer (Support)
Subject: Re[4]: [sniffer]

On Thursday, November 10, 2005, 11:45:48 AM, Peer-to-Peer wrote:

PtPS> _M,

PtPS> <<_M said>> will create a "default" installation that emits headers
PtPS> and puts a .cf file in place for SA to interpret them.

PtPS> Not sure if this is relevant to your thought process, but we feel that
PtPS> SA (SpamAssassin) does more harm than good.  Under moderate loads it
PtPS> bogs-down MDaemon so we always have SA disabled.  Sniffer is by far
PtPS> superior in every category, (accuracy, speed, dependability etc...) so
PtPS> there's no need to use SpamAssassin.

PtPS> My point: Keep in mind that some of us use sniffer independently (not
PtPS> tied to SA).  We're using sniffers .cfg plug-in for MD ver 8.
PtPS> I assume you will, and I probably misunderstood your post, but just
PtPS> wanted to mention this out-loud.

Thanks for this! I think it's the first time I've heard it said out
loud from anyone involved with MDaemon. As a result I'm operating
under the assumption that folks who install SNF on MDaemon _most
likely_ have SA running and so that would be the simplest default
installation.

Is that true (do you think) or is it now more likely that SA would be
disabled?

In any case, the installer is intended for someone who just wants to
push the button and have it work. In that context, what is the best
"default install"?

All that said, once the installation is complete, a technically savvy
person could reconfigure SNF and MDaemon to work in any way they
prefer. We're definitely not going to do anything to make that more
difficult.

Thanks,

_M










RE: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread John Moore
We have not run snf2check on the updates. And it may be a coincidence or bad
timing that sniffer appears to be the culprit. But we have stopped sniffer
(commented out in the declude global.cfg) for an observed period of time and
the mail never stops (and had never stopped before sniffer) and conversely, it
only stops when sniffer is running.

We have not gone the extra steps of putting sniffer in persistent mode.

We are looking at moving the imail/declude/sniffer setup to a newer box with
more resources.

Currently on a dell 2450 dual 833 and 1 gig of ram and raid 5. Volume of email
is less than 10,000 emails per day.

J


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darin Cox
Sent: Wednesday, November 09, 2005 1:47 PM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

Are corrupted rulebase files the culprit? How do you update... and do you run
snf2check on the updates?

Just wondering if the rulebase file is the problem, if the problem occurs
during the update, or if you are running into obscure errors with the EXE
itself

Darin.


- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson error
on the server was my Sniffer file... I rebooted and thought it was OK but quit
again... I had a lot of mail back logged... so I updated a new rule base but it
did not seem to help... I reinstalled Imail and things seem OK but slow since
there is such a back log of mail... If things don't get back to normal I will
be back...

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"


- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

> Hi Pete,
>
> There was a consistent stream of false positives over the mentioned time
> period, not just a blast at a particular time.  They suddenly started at 5pm
> (shortly after a 4:30pm rulebase update), and were fairly evenly spread from
> 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between
> 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and
> 6:20am.  There were a number of different rules involved, and over 45 false
> positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does -- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by very
specific oddities in the logs.

Hope this helps,

_M

Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Darin Cox
Are corrupted rulebase files the culprit? How do you update... and do you run
snf2check on the updates?

Just wondering if the rulebase file is the problem, if the problem occurs
during the update, or if you are running into obscure errors with the EXE
itself

Darin.


- Original Message -
From: John Moore
To: sniffer@SortMonster.com
Sent: Wednesday, November 09, 2005 12:42 PM
Subject: RE: Re[4]: [sniffer] Rash of false positives

We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson error
on the server was my Sniffer file... I rebooted and thought it was OK but quit
again... I had a lot of mail back logged... so I updated a new rule base but it
did not seem to help... I reinstalled Imail and things seem OK but slow since
there is such a back log of mail... If things don't get back to normal I will
be back...

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"


- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

> Hi Pete,
>
> There was a consistent stream of false positives over the mentioned time
> period, not just a blast at a particular time.  They suddenly started at 5pm
> (shortly after a 4:30pm rulebase update), and were fairly evenly spread from
> 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between
> 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and
> 6:20am.  There were a number of different rules involved, and over 45 false
> positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does -- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by very
specific oddities in the logs.

Hope this helps,

_M


RE: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread John Moore
We had this same thing happen.

It has been happening more frequently recently and we are looking into
disabling sniffer as it seems to be the culprit each time.

John Moore
305 Spin


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Farris
Sent: Wednesday, November 09, 2005 11:38 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Rash of false positives

This morning my server quit sending mail and my tech said the Dr. Watson error
on the server was my Sniffer file... I rebooted and thought it was OK but quit
again... I had a lot of mail back logged... so I updated a new rule base but it
did not seem to help... I reinstalled Imail and things seem OK but slow since
there is such a back log of mail... If things don't get back to normal I will
be back...

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"


- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

> Hi Pete,
>
> There was a consistent stream of false positives over the mentioned time
> period, not just a blast at a particular time.  They suddenly started at 5pm
> (shortly after a 4:30pm rulebase update), and were fairly evenly spread from
> 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between
> 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and
> 6:20am.  There were a number of different rules involved, and over 45 false
> positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does -- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by very
specific oddities in the logs.

Hope this helps,

_M

Re: Re[4]: [sniffer] Rash of false positives

2005-11-09 Thread Richard Farris
This morning my server quit sending mail and my tech said the Dr. Watson error
on the server was my Sniffer file... I rebooted and thought it was OK but quit
again... I had a lot of mail back logged... so I updated a new rule base but it
did not seem to help... I reinstalled Imail and things seem OK but slow since
there is such a back log of mail... If things don't get back to normal I will
be back...

Richard Farris
Ethixs Online
1.270.247. Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"


- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 3:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

> Hi Pete,
>
> There was a consistent stream of false positives over the mentioned time
> period, not just a blast at a particular time.  They suddenly started at 5pm
> (shortly after a 4:30pm rulebase update), and were fairly evenly spread from
> 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between
> 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and
> 6:20am.  There were a number of different rules involved, and over 45 false
> positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does -- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by very
specific oddities in the logs.

Hope this helps,

_M


Re: Re[4]: [sniffer] Rash of false positives

2005-11-08 Thread Darin Cox
Hi Pete,

I'll send the logs for the past two days separately to support (at).  We do
run snf2check on every downloaded rulebase, so that shouldn't be an issue.

The one thing I didn't think to do was to revert to an old rulebase, but we
only keep the previous, so it would have already been too late when we saw the
problem this morning.

Thanks,
Darin.


- Original Message -
From: Pete McNeil
To: Darin Cox
Sent: Tuesday, November 08, 2005 4:03 PM
Subject: Re[4]: [sniffer] Rash of false positives

On Tuesday, November 8, 2005, 3:25:20 PM, Darin wrote:

> Hi Pete,
>
> There was a consistent stream of false positives over the mentioned time
> period, not just a blast at a particular time.  They suddenly started at 5pm
> (shortly after a 4:30pm rulebase update), and were fairly evenly spread from
> 5pm - 11pm and 6am - 10am today (not many legitimate emails came in between
> 11pm and 6am)... spanning 4 other rulebase updates at 8:40pm, 12am, 3am, and
> 6:20am.  There were a number of different rules involved, and over 45 false
> positives in that time period.

This is highly unusual -- I didn't remove many rules, and normally only one or
two would be responsible. If you found that a large number of rules were
responsible then something else happened and we need to look at that... I'd
need to see your SNF logs from that period since the changes (removals anyway)
in the rulebase were very small and unrelated - that just doesn't line up with
your description.

One thing does -- in the past if snf2check was not used to check a new download
then a corrupted rulebase could cause SNF to produce erratic results... since
snf2check has been in place we have not seen this. Is it possible that a bad
rulebase file got pressed into service on your system? -- probably a look at
the logs would help there too since this kind of failure is accompanied by very
specific oddities in the logs.

Hope this helps,

_M
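
Pete's advice to run snf2check on every download, and Darin's remark that keeping only the previous rulebase left no way to revert, come together in a small staging routine. This is an added example, not SortMonster's or any list member's code; the file layout, the stand-in verifier's made-up `SNF\x01` header, and the assumption that snf2check exits non-zero on a bad file are mine.

```python
"""Stage a downloaded Message Sniffer rulebase only after it verifies cleanly,
and keep enough previous rulebases to roll back past a bad update.

Added example (not SortMonster's or any list member's code). Assumptions:
the live rulebase is a single file, snf2check signals a bad file with a
non-zero exit status, and the constructed "SNF\\x01" header checked by the
offline stand-in verifier has nothing to do with the real file format.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, List

Verifier = Callable[[Path], bool]   # returns True when the file is safe to use


def snf2check_verifier(snf2check_exe: str, *extra_args: str) -> Verifier:
    """Wrap the real checker. ASSUMPTION: `snf2check <file> [args]` exits 0 on a
    good rulebase; check your installed version's documentation for its exact
    arguments and exit codes before relying on this."""
    def verify(path: Path) -> bool:
        proc = subprocess.run([snf2check_exe, str(path), *extra_args],
                              capture_output=True)
        return proc.returncode == 0
    return verify


def _archived(archive_dir: Path, name: str) -> List[Path]:
    """Archived copies of `name`, oldest first (zero-padded sequence suffix)."""
    return sorted(archive_dir.glob(f"{name}.*.bak"))


def _next_archive_path(archive_dir: Path, name: str) -> Path:
    existing = _archived(archive_dir, name)
    seq = 1 if not existing else int(existing[-1].name.split(".")[-2]) + 1
    return archive_dir / f"{name}.{seq:04d}.bak"


def stage_rulebase(download: Path, live: Path, archive_dir: Path,
                   verify: Verifier, keep: int = 4) -> str:
    """Verify `download`; on success archive the current live file and move the
    download into place atomically. Returns "installed" or "rejected"; a
    rejected download is deleted so nothing else can pick it up later."""
    if keep < 1:
        raise ValueError("keep at least one previous rulebase to roll back to")
    if not verify(download):
        download.unlink(missing_ok=True)
        return "rejected"
    archive_dir.mkdir(parents=True, exist_ok=True)
    if live.exists():
        os.replace(live, _next_archive_path(archive_dir, live.name))
    os.replace(download, live)          # atomic rename on the same filesystem
    for old in _archived(archive_dir, live.name)[:-keep]:
        old.unlink()                    # drop everything beyond the newest `keep`
    return "installed"


def rollback(live: Path, archive_dir: Path) -> bool:
    """Put the newest archived rulebase back in service. The file being replaced
    is kept as `<name>.suspect` so it can go to support with the logs.
    Returns False when nothing is archived."""
    backups = _archived(archive_dir, live.name)
    if not backups:
        return False
    if live.exists():
        os.replace(live, archive_dir / f"{live.name}.suspect")
    os.replace(backups[-1], live)
    return True


def demo() -> dict:
    """Constructed scenario in a temp dir: four good downloads, one corrupt
    download, then a rollback. The stand-in verifier only checks a made-up
    header; use snf2check_verifier(...) on a real system."""
    root = Path(tempfile.mkdtemp())
    live, inbox, archive = root / "rulebase.snf", root / "inbox", root / "archive"
    inbox.mkdir()

    def stand_in(p: Path) -> bool:
        return p.read_bytes().startswith(b"SNF\x01")

    bodies = [b"SNF\x01 v1", b"SNF\x01 v2", b"SNF\x01 v3", b"SNF\x01 v4",
              b"ZZZZ corrupt"]
    results = []
    for i, body in enumerate(bodies):
        dl = inbox / f"download{i}.snf"
        dl.write_bytes(body)
        results.append(stage_rulebase(dl, live, archive, stand_in, keep=2))
    out = {
        "results": results,
        "live_after_reject": live.read_bytes(),          # v4 still in service
        "rejected_removed": not (inbox / "download4.snf").exists(),
        "archived": len(_archived(archive, "rulebase.snf")),   # v2, v3 (v1 pruned)
    }
    out["rolled_back"] = rollback(live, archive)
    out["live_after_rollback"] = live.read_bytes()       # v3 back in service
    out["suspect_kept"] = (archive / "rulebase.snf.suspect").exists()
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```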


RE: Re[4]: [sniffer] Large amounts of spam still getting through

2005-10-15 Thread Rick Hogue
Thanks Pete, I do not remember getting an update notification but that would
definitely explain why we are getting so much spam now.

Rick Hogue

Intent.Net - Web Hosting

3802 Handley Avenue

Louisville, KY 40218

1-502-459-3100

1-800-866-2983 Toll Free

 

New Books Available

"Prosperity Or Better Times Ten"

"Hot Slot Secrets"

"The Incredible Inman's Louisville Trivia Challenge"


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Saturday, October 15, 2005 2:10 PM
To: Rick Hogue
Subject: Re[4]: [sniffer] Large amounts of spam still getting through

On Saturday, October 15, 2005, 12:33:47 PM, Rick wrote:

RH> My only concern is that all of this was being caught by Sniffer before
RH> and all of a sudden very little of it is being caught. We are told that
RH> they are working on it to get it fixed but we are getting slammed by
RH> customers telling us we are not catching any spam.

RH> Any help in a solution other than greylisting would be really
RH> appreciated.

Rick,

I checked your license by your domain and found that it has expired.

We will have sent you a renewal notice in the first week of September
and we did not get a response.

Please send a note to [EMAIL PROTECTED] and we will send you an
invoice you can pay online to renew.

Updates for your account have been off since 20051005.

Hope this helps,

_M



---
[This E-mail scanned for viruses by Declude on http://www.intent.net hosted
Email]






Re: Re[4]: [sniffer] POP Approach

2005-10-14 Thread Darin Cox
Hi Pete,

Do you send out notices to licensees to let them know to renew ahead of
time?

I think we're getting close to renewal, and want to make sure we don't
lapse.

Darin.


- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Rick Hogue" 
Cc: <[EMAIL PROTECTED]>
Sent: Friday, October 14, 2005 11:03 AM
Subject: Re[4]: [sniffer] POP Approach


On Friday, October 14, 2005, 9:39:33 AM, Rick wrote:

RH> What is going on with the sniffer not catching any of the spam that is
RH> now coming through? We are getting slammed with medication, mortgage and
RH> other junk email?

Your license has expired.

Please send a note to [EMAIL PROTECTED] to renew. We will send
you an invoice you can pay online.

Thanks,

_M







RE: Re[4]: [sniffer] can auto-forward be disabled when spam is detected?

2005-09-03 Thread Craig Deal
> You don't think having a 'Spam' subfolder is less complex than a
> totally separate account?

The "complexity" I referred to, was from the admin/setup point of view. I
think manually creating a forwarding file for each user, that will not show
up on the UI, would be more complex than having one domain rule that
forwards to [EMAIL PROTECTED](visible from the UI). Would I prefer to have a
spam sub-folder for each user? Sure. If IPSwitch had mentioned this option
in the manual, I would have set it up that way at the start. All I was
trying to point out is that you could work around the Imail processing order
by setting up rules to forward spam to another email address.

> Doubt a webmail user would agree with that.

My users are not webmail users. They simply want "good" email's delivered to
their Exchange/Outlook Inbox. Since FP's are almost non-existent with
Sniffer, they rarely (if ever) check the [EMAIL PROTECTED] account as it is.

Craig


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Sanford Whiteman
> Sent: Friday, September 02, 2005 2:17 PM
> To: Craig Deal
> Subject: Re[4]: [sniffer] can auto-forward be disabled when 
> spam is detected?
> 
> > I'm  not  sure  how  this solution is any less complex. . .
> 
> You  don't  think  having  a  'Spam'  subfolder is less 
> complex than a totally separate account? Doubt a webmail user 
> would agree with that.
> 
> --Sandy
> 
> 
> 
> Sanford Whiteman, Chief Technologist
> Broadleaf Systems, a division of
> Cypress Integrated Systems, Inc.
> e-mail: [EMAIL PROTECTED]


RE: Re[4]: [sniffer] can auto-forward be disabled when spam is detected?

2005-09-02 Thread Rick Robeson
Really! So simply renaming the forward.ima to main.fwd accomplishes what
he's talking about?
Where is that documented in the Imail system?

Is that feature reflected/available in the windows Imail admin interfaces?



Rick Robeson
getlocalnews.com
[EMAIL PROTECTED] 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sanford Whiteman
Sent: Friday, September 02, 2005 12:19 PM
To: Rick Robeson
Subject: Re[4]: [sniffer] can auto-forward be disabled when spam is
detected?


> I'm afraid I'm not that up on my email standards.

They're not standards in the RFC sense, just IMail features.

> What  exactly  does  forwarding  by  main.fwd  do  and  how does one
> implement that type of solution?

Create  .fwd using the same format as forward.ima and the
forwarding  actions will only apply to messages slated to be delivered
to that mailbox.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]



RE: Re[4]: [sniffer] New Spam/Virus?

2005-06-06 Thread John W. Enyart
Thanks Pete.

John

-
John W. Enyart
EAI, Inc.
3259 Blackberry Lane
Malvern, PA 19355-9670
610/935/3085  FAX 610.935.3086
[EMAIL PROTECTED]

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, June 06, 2005 6:22 PM
To: Jim Matuska
Subject: Re[4]: [sniffer] New Spam/Virus?

One rule (369660) will code to 53 (scams).

Another (369650) will code to 53 (scams).

Another (369634) also codes to 53 (scams).

The rules got the scam tag because it presents like a phishing scam.

I'll be watching for evidence of additional polymorphism and we will adapt.
Now that we know this has a virus attached, new rules may be coded to
malware.

_M


On Monday, June 6, 2005, 6:01:17 PM, Jim wrote:

JM> Thanks Pete,
JM> What Return code will this be under?

JM> Jim Matuska Jr.
JM> Computer Tech2, CCNA
JM> Nez Perce Tribe
JM> Information Systems
JM> [EMAIL PROTECTED]
JM> - Original Message -
JM> From: "Pete McNeil" <[EMAIL PROTECTED]>
JM> To: "Dave Koontz" 
JM> Sent: Monday, June 06, 2005 3:00 PM
JM> Subject: Re[2]: [sniffer] New Spam/Virus?


>> On Monday, June 6, 2005, 5:50:38 PM, Dave wrote:
>>
>> DK> Same exact IP  here!
>>
>> We've got a couple of rules for this now -- making the rounds as new
>> compiles go out.
>>
>> _M
---
[Scanned for viruses by the ESPAN WebCenter]


Re: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Jim Matuska
I meant, do I configure actions based on the headers that sniffer returns
like in the non plug in version, or does the plugin do this automatically?
The documentation for the plug in is kind of vague in comparison to the
older version.

Jim Matuska Jr.
Computer Tech2, CCNA
Nez Perce Tribe
Information Systems
[EMAIL PROTECTED]
- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Jim Matuska" 
Sent: Wednesday, April 20, 2005 1:51 PM
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & 
Promo


On Wednesday, April 20, 2005, 4:19:48 PM, Jim wrote:
JM> Do you configure rules similar to in the previous versions, or by
JM> using this as a plug in is there a GUI for configuration.

We configure the rulebase the same way we have in the past. Using the
plugin is not different from using the command line utility except
that the performance is better (faster) and the installation and
operation is simpler. The "service/subscription" part of Message
Sniffer has not changed.
---
We have a GUI web app for the rulebase (we use it every day), however
we have discovered through trial and error that a lot of specialized
training is required to keep the rulebase working correctly and that
one GUI does not suit many users... each group seems to need their
own!
We are working on plans for some simpler web apps in the future to
handle specialized tasks, however that too seems best handled in other
ways for the time being. For example, every system that provides
automation to their users for false positive handling and custom
black-rules seems to do it in their own special way --- so rather than
build a web app that doesn't really suit anyone we have adopted the
strategy of providing automation tools (such as our XML based REmost
SCripted Updater [RESCU] utility) and consulting to integrate each
customer's existing or planned automation efforts with their back-end
rulebase configuration. These efforts are usually reserved for larger
systems such as small ISPs and filtering service providers.
As always we want to support any third party efforts to provide
automation tools also. So far we haven't seen much in the way of GUI
automation, probably for the same reasons we haven't tackled it yet.
I think I may have answered more than the base question here - but I'm
hoping I've addressed some of the underlying questions.
_M


RE: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta & Promo

2005-04-20 Thread Peer-to-Peer (Support)
Tip for MDaemon plug-in users.

Sniffer's .cfg file has an option 'not' to scan files larger than 'X'.  If
this option is set then no sniffer headers will be placed into the message
(if the message is larger than 'X').

Beware, if you use MD's Content Filter to instruct where to send messages
based on sniffer's 'results' as there will be no results if the file is
never scanned ;)


Paul R


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Pete McNeil
Sent: Wednesday, April 20, 2005 3:30 PM
To: Jim Matuska
Subject: Re[4]: [sniffer] Message Sniffer Plugin for MDaemon Wide Beta &
Promo


On Wednesday, April 20, 2005, 2:30:25 PM, Jim wrote:

JM> Pete,
JM> Is there a difference between the normal .snf files I have been downloading
JM> and the one for the plugin?  I have setup my script to download the .snf
JM> file and noticed it is a couple mb's smaller than the included demo .snf
JM> file.

There is no significant difference. The mdaemon1 file contains some
extra rules, but these are not normally needed in production. During
the test we wanted to make sure we used the largest valid rulebase
file we generate. After the test it will be best to use normal
rulebase files.

_M


RE: Re[4]: [sniffer] Persistent Sniffer

2005-04-01 Thread Keith Johnson
Pete,
Wow, thank you for the explanation.  I did let the persistent
server run for 30 min after I restarted the services.  However, I did
stop the services, then started Sniffer service, then restart Imail
services.  I could have gotten a backlog of retries at that moment that
pegged the CPU as you stated.  We have batted around running BIND for
NT/2000 on the local machine, but my fear was overhead of another major
process running.  I don't have any good stats on how much CPU/Memory
BIND on an Imail Server requires, thus, we have a SUN/BIND box local to
the switch.  Are you aware of any stats on this?

We don't run the AVAFTERJM switch.  This is done in part because
so many of our customers still look at their spam email from time to
time.  We heavily use the ROUTETO and MAILBOX commands, thus, if I let a
virus go through to their mailbox, they could potentially open a
virus spam email and hurt themselves.  

We defrag each partition every night using Diskeeper and it
works great.  I regularly look at the Sniffer directory to ensure no
left over .fin files and others that could cause server load.  I will
retry it again tonight and see what type of results I get and post them
here.  It could be as you say, I am on the far side :)

Thanks again,

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Friday, April 01, 2005 2:16 PM
To: Keith Johnson
Subject: Re[4]: [sniffer] Persistent Sniffer

On Friday, April 1, 2005, 11:44:07 AM, Keith wrote:

KJ> Pete,
KJ> Thanks for the reply.  

KJ> Running on an IBM Xseries 225 Dual Xeon 2.4Ghz w/ 1GB RAM - 
KJ> running IBM's ServerRAID 5i in IBM's RAID 10 config (4 73GB 10K 
KJ> drives)
KJ> - O/S is Windows 2000 Standard Server SP4

KJ> Running Imail 8.15HF1 with Declude JM/Virus 1.82 - BIND DNS 
KJ> Server is 1 hop away (on switch backbone).  I had to drop back to 
KJ> the non-persistent mode, thus the .stat file disappeared.  I will 
KJ> run it again tonight and copy the file away and post it here tonight.

KJ> Thanks again for the time and aid.

I don't see any problems with this setup.

Your description sounds like your server is fairly heavily loaded
(35-55% cpu in peer-server mode), though I would expect more from the
hardware you've described.

I suspect that you may have run into the far side of the power curve
when you went to persistent server mode. In peer-server mode the failure
mode for overload conditions is much softer than with the persistent
peer server mode.

Up to the failure point in the power curve the persistent server mode
will provide a significant savings over peer-server, however once that
point is reached the persistent server mode tends to degrade much more
quickly and requires a significant drop in load before recovery occurs.

I'm working on some strategies to soften that curve a bit, but in the
mean time let's explore these options to get the best performance from
your server and reduce its load. Then we can see if the persistent
server engine will give you even more headroom:

1. I recommend running AVAFTERJM - are you doing this? Typically 80% or
more of email traffic is spam and so there is no good reason to attempt
a virus scan on these messages. If you hold messages and occasionally
re-insert them into the queue then they will not be scanned, however
there are ways to work around this when needed - and it is very likely
you would not re-insert a message that contained a virus anyway.

2. Consider running bind as a dns resolver on your mail server and
pointing the server to itself via the loopback address (127.0.0.1) for
DNS services. This tends to speed up processing significantly which also
reduces the number of message processes that are running at any given
time. YMMV, but I have seen this work consistently to improve
performance.

--- when trying persistent mode (minor adjustments really) ---

A. Set the Persistence value in your snflicid.cfg file to 3600. - no
need to check for a new rulebase every 10 minutes usually. These loop
events tear down the server momentarily which can perturb an otherwise
smooth running system when under heavy loads - thus minimizing the
frequency of these events may help.

B. Set LogFormat in your snflicid.cfg file to SingleLine. This provides
sufficient data for our purposes (most of the time) and should
significantly reduce the size of your log file.

C. Be sure to keep any unnecessary files out of the SNF working
directory - in particular you should clean out any orphaned files that
might still be lurking from previous crashes.

--- General ---

Be sure your drives are regularly defragmented.

Hope this helps,

_M

PS: I just had another random thought really --- Could it be that the
high CPU value was appropriate? If you had built up a queue of messages
to be processed then once the persistent server was put in place and the
system started processing messages again the CP

RE: Re[4]: [sniffer] Still having problems

2005-01-08 Thread Landry William

This little script can give you a raw hit count per test:

egrep "Clean|Final" c:\path\to\sniffer\sniffer.log | gawk "{print $8}" |
usort | uniq -c | usort

Bill
-Original Message-
From: Kirk Mitchell [mailto:[EMAIL PROTECTED] 
Sent: Saturday, January 08, 2005 11:20 AM
To: sniffer@SortMonster.com
Subject: Re: Re[4]: [sniffer] Still having problems

At 01:50 PM 1/8/2005 -0500, Pete McNeil wrote:
>>>Here's one way
>>>
>>>http://www.sawmill.net/formats/Message_Sniffer.html
>
>KM>   That's the only one I found in the searching I've done. I'll 
>KM> probably give the trial version a shot but can't see paying $139 
>KM> for it. I was hoping maybe someone on the list had developed 
>KM> something, maybe a simple perl script or similar.
>
>I'm sure there are some things around.
>However, I suspect that most folks measure their email server or a 
>higher level AS/AV software's logs (such as Declude, or mxGuard) rather 
>than measuring Message Sniffer directly.
>
>What data do you want to summarize?

  Anything that could give me some hard numbers as to how effective the
filtering is working. # passed clean, # meeting x threshold, etc.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net


---
This message and any included attachments are from Siemens Medical Solutions 
USA, Inc. and are intended only for the addressee(s).  
The information contained herein may include trade secrets or privileged or 
otherwise confidential information.  Unauthorized review, forwarding, printing, 
copying, distributing, or using such information is strictly prohibited and may 
be unlawful.  If you received this message in error, or have reason to believe 
you are not authorized to receive it, please promptly delete this message and 
notify the sender by e-mail with a copy to [EMAIL PROTECTED] 

Thank you



Re: Re[4]: [sniffer] Still having problems

2005-01-08 Thread Kirk Mitchell
At 01:50 PM 1/8/2005 -0500, Pete McNeil wrote:
>>>Here's one way
>>>
>>>http://www.sawmill.net/formats/Message_Sniffer.html
>
>KM>   That's the only one I found in the searching I've done. I'll probably
>KM> give the trial version a shot but can't see paying $139 for it. I was
>KM> hoping maybe someone on the list had developed something, maybe a simple
>KM> perl script or similar.
>
>I'm sure there are some things around.
>However, I suspect that most folks measure their email server or a
>higher level AS/AV software's logs (such as Declude, or mxGuard)
>rather than measuring Message Sniffer directly.
>
>What data do you want to summarize?

  Anything that could give me some hard numbers as to how effective the
filtering is working. # passed clean, # meeting x threshold, etc.


-- 
Kirk Mitchell-General Manager[EMAIL PROTECTED]
Keystone Connect Unlock Your World
Altoona, PA  814-941-5000   http://www.keyconn.net


RE: Re[4]: [sniffer] reporting spam in bulk

2005-01-05 Thread Mike Wiegers
I use this program to send the messages with. It's setup to use with spamcop
but you can also send to [EMAIL PROTECTED]

http://www.daesoft.com/SpamSource/



RE: Re[4]: [sniffer] Download server is really slow..

2004-12-20 Thread Hirthe, Alexander
Hello,

I'm trying at the moment; Wget says 50-90 K/s (started at 40, went quickly up
to 90 and now going down to 50K/s).

Alex


RE: Re[4]: [sniffer] Download server is really slow..

2004-12-20 Thread George Kulman
Pete,

I'm downloading right now and it's very slow.

George 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, December 20, 2004 6:39 AM
To: Chuck Schick
Subject: Re[4]: [sniffer] Download server is really slow..

On Monday, December 20, 2004, 1:13:52 AM, Chuck wrote:

CS> Pete:

CS> It is Sunday night at 10 minutes after the hour and the download server is
CS> still very slow - so I am not too sure there is just a run on the server.

I will check the logs to verify.
_M



Re: Re[4]: [sniffer] Few questions

2004-12-16 Thread Marc Hilliker
Pete,

PM> One other quick note/reminder. Use the snf2check utility on your
PM> downloaded rulebase files before putting them in service. This will
PM> ensure that you have a complete file that is not corrupted.

Yep... that is exactly what I did when I went back and looked at the files
included in the distro. It gave me the same error, which provoked me to
re-download the rulebase.

---
Marc



RE: Re[4]: [sniffer] Recent SPAM

2004-11-30 Thread Landry William

-Original Message-
From: Pete McNeil [mailto:[EMAIL PROTECTED]
On Tuesday, November 30, 2004, 1:36:13 PM, Andrew wrote:

CA> Pete, could you recap for us how to set up a "Declude project" to forward
CA> non-sniffer-detected spam to a custom spamtrap address at SortMonster?
CA> Perhaps two versions, one for normal spamtrap, and one for spam that meets
CA> our chosen weight yet didn't trigger sniffer?
>
> I know that there are a few systems out there that have experimented
> with this, but I don't have the details on how to do it and they might
> require some very system specific configurations. It would be best if
> someone who has done this could document it for us and then we will be
> pleased to post the instructions on our site for future reference.
> 
CA> I can piece together snippets myself, and I know there's a good spamtrap
CA> writeup on your website, but a cookbook would be timely!
> 
> I agree. Sorry I don't have that information right now.
> 
CA> I've been thinking about this as I've found spam that was triggering the
CA> CMDSPACE test in Declude, but didn't trigger SpamCop or Sniffer (my two most
CA> reliable and frequently triggered tests).
> 
> This kind of "virtual spam trap" is a very interesting idea. I'm not
> sure that there are any configurations that are mature enough to be
> generalized... but I hope so.
> 
> If I understand you correctly, you are looking for a Declude
> configuration that forwards messages to a spamtrap address if they
> were considered spam by your Declude installation but did not fail a
> specific test - such as SNF.
> 
> There is no direct way to do this, at least not that I am aware of,
> but I know there are a couple people who have been working on it.

If I understand correctly, here is what I do to forward mail that passes my
spam delete threshold but does not fail any sniffer rule group tests (I
recently posted this to the Declude JunkMail list):
==
The first thing you need to do before setting up auto-forwarding of messages
to SortMonster is to ask them to setup a special spam-trap account for you
that you can forward these messages to (they will assign you a specific
e-mail address to use).

In your global.cfg, setup a specific weight test for special handling of
messages over a certain weight:

WEIGHT-SPAMBOX  weight   x x 36 0

In your $declude$.junkmail file, create a new ROUTETO action for this weight
test:

WEIGHT-SPAMBOX  ROUTETO [EMAIL PROTECTED] (this is a local account on your
IMail server)

The configuration of the IMail "spambox" account is as follows:

1. Create the "spambox" e-mail account
2. Create two inbound filter rules for this account
a. Click "Add" on the "Inbound Rules" tab
i) Select Rule: "If Header Text"
ii) Select "Contains" radio button
iii) Search Text: SNIFFER
iv) Check "Match Case"
v) Click "Ok"
vi) Select the "Delete" radio button
b. Click "Add" again on the "Inbound Rules" tab
i) Select Rule: "If Header Text"
ii) Select "Does not Contain" radio button
iii) Search Text: SNIFFER
iv) Check "Match Case"
v) Click "Ok"
vi) Select the "Forward" radio button
vii) Enter the special e-mail address SortMonster assigns to you in
the "Address" field
c. Click "Apply"

All messages forwarded to this "spambox" account by Declude JunkMail that
contain the word "SNIFFER" in the headers will be deleted.  All messages
that do not contain the word "SNIFFER" in the headers will be forwarded to
the special e-mail address assigned to you by SortMonster.
==

> As for sharing spamtraps with us in general, we are shifting in a new
> direction lately. Rather than having systems forward spamtraps to us
> as we have in the past, we now have our robots go and get spamtrap
> data from ordinary pop3 accounts. If you have a spamtrap on your
> system that you would like to share then please let us know the
> server, login, and password, and how the spamtrap was created so that
> we can rate it in our system. Sharing a spamtrap like this can
> accelerate our response to new spam that arrives on your system.

Pete, would you rather that I now drop these e-mails into a local POP
account instead of forwarding them to the special e-mail account you setup
for me?

Bill

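An added example, not Bill's configuration and not Declude's or IMail's code: a small Python model of the two-stage hand-off described above (the Declude weight test routes the message to the spambox account; the two IMail inbound rules then delete anything whose header text contains SNIFFER and forward the rest to the SortMonster spamtrap). It assumes the Declude weight test fails at total weight >= 36 and that Declude's test results appear in an X-Spam-Tests-Failed header; the addresses and sample messages are constructed placeholders.

```python
"""Model of the Declude -> IMail "spambox" hand-off for non-Sniffer spam.

Added example, not code from the original post or from Declude/IMail.
Assumptions (not stated on the page): the Declude weight test fails once the
total weight reaches the configured minimum, and Declude's failed tests are
listed in an X-Spam-Tests-Failed header.  Sample messages are constructed.
"""
from __future__ import annotations

SPAMBOX_MIN_WEIGHT = 36                      # WEIGHT-SPAMBOX  weight  x x 36 0 (assumed: fail at >= 36)
SPAMBOX_ADDRESS = "spambox@mail.example"     # local IMail account; placeholder
SORTMONSTER_TRAP = "trap-PLACEHOLDER@sortmonster.example"  # address SortMonster assigns


def declude_action(total_weight: int) -> str | None:
    """Stage 1: the $declude$.junkmail ROUTETO line.  Returns the route target
    when WEIGHT-SPAMBOX fails, otherwise None (normal delivery)."""
    if total_weight >= SPAMBOX_MIN_WEIGHT:
        return SPAMBOX_ADDRESS
    return None


def header_block(raw_message: str) -> str:
    """Return only the header section (everything before the first blank
    line).  IMail's 'If Header Text' rule looks here, never in the body."""
    head, _sep, _body = raw_message.replace("\r\n", "\n").partition("\n\n")
    return head


def spambox_rule(raw_message: str) -> str:
    """Stage 2: the two IMail inbound rules on the spambox account.
    Rule a: header text contains 'SNIFFER' (Match Case)  -> Delete.
    Rule b: header text does not contain 'SNIFFER'       -> Forward to trap.
    """
    if "SNIFFER" in header_block(raw_message):   # case-sensitive, as "Match Case"
        return "DELETE"
    return f"FORWARD {SORTMONSTER_TRAP}"


def route_message(total_weight: int, raw_message: str) -> str:
    """End to end: what happens to a message carrying the given Declude weight."""
    if declude_action(total_weight) is None:
        return "DELIVER"                     # below the spambox threshold
    return spambox_rule(raw_message)


# Constructed sample messages (not real traffic).
CAUGHT_BY_SNIFFER = (
    "From: sender@example.net\n"
    "Subject: cheap meds\n"
    "X-Spam-Tests-Failed: SNIFFER-SCAMS, CMDSPACE\n"
    "\n"
    "body text\n"
)
MISSED_BY_SNIFFER = (
    "From: sender@example.net\n"
    "Subject: cheap meds\n"
    "X-Spam-Tests-Failed: CMDSPACE, SPAMCOP\n"
    "\n"
    "The word SNIFFER in the body does not count; the rule reads headers only.\n"
)

if __name__ == "__main__":
    print(route_message(40, CAUGHT_BY_SNIFFER))   # DELETE
    print(route_message(40, MISSED_BY_SNIFFER))   # FORWARD trap-PLACEHOLDER@...
    print(route_message(12, MISSED_BY_SNIFFER))   # DELIVER
```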

RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread John Tolmachoff (Lists)
> > > Well, still no problems so far so I'll write it up to .  > > solar spots, pick whatever you want>.
> > > It seems it was a one time thing.
> >
> > You must be referring to the RAW law.
> 
> RAW? Random Answer Whatchamacallit?

Random
Acts of
Weirdness

The RAW law, Keyboard Virus and the PEBKAC phenomenon are the 3 most common
reasons for problems.

The PEBKAC phenomenon:
Problem
Exists
Between
Keyboard
And
Chair

SAFETY DISCLAIMER: The foregoing information is considered entertainment in
nature and is not meant to represent or describe any person living or dead
in the past, present or future. It is meant to create something odd in the
IT Industry, a smile.

Anyone else in the US working Thursday and Friday? I am! :s

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

> > Well, still no problems so far so I'll write it up to .  > solar spots, pick whatever you want>.
> > It seems it was a one time thing.
>
> You must be referring to the RAW law.

RAW? Random Answer Whatchamacallit?

> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You

Kind regards,

Bonno Bloksma

---
[E-mail scanned at tio.nl for viruses by Declude Virus]



RE: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread John Tolmachoff (Lists)
> Well, still no problems so far so I'll write it up to .  solar spots, pick whatever you want>.
> It seems it was a one time thing.

You must be referring to the RAW law.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You



Re: Re[4]: [sniffer] New Version 2-3.2 has been officially released.

2004-11-24 Thread Bonno Bloksma
Hi,

[]
> I understand. I have no reasonable explanation for your experience.
> There have been no other reported problems and I have been unable to
> recreate your conditions.
>
> BB> I just once more "installed" the 2.3.2 exe, we'll see what happens. As it is
> BB> close to 9 PM over here it should not disrupt any business going on and let
> BB> me do some testing.
>
> Thanks for your efforts.

Well, still no problems so far so I'll write it up to . .
It seems it was a one time thing.

[]
> One change you should make is to adjust your Declude configuration so
> that your message file name is emitted into your message headers. This
> way when a false positive does occur we can match the message up to
> the log entries and identify the rule or rules that fired.

Did that, so for the next time something like this happens.. ;)

Kind regards,

Bonno Bloksma



RE: Re[4]: [sniffer] LogRotate no longer working?

2004-10-31 Thread Andy Schmidt
Hi,

A) for what it's worth, I ran:

rename mylicense.log mylicense.log.20041101051900

and the command prompt was able to rename the file WITHOUT problems (I
didn't even stop the IMAIL or Sniffer services). So it appears that nothing
locks the ".log" file.

B) >> Under normal conditions the persistent server will see this file,
delete it, and process the command it represents.  <<

Well - in my case it's 30 MINUTES later and the .rotate file still exists!

>> What version operating system are you using? <<

Windows 2000 Server, Service Pack 4 on a dual-processor Dell machine
Hotfixchecker lists no missing security fixes

>> What does your licenseid.persistent.stat file contain? <<

Hm - interesting - that file does NOT exist.

However, I DID see it exist while I had executed "mylicenseid.exe
persistent" from the command line

>> what is the build information? <<

  build - v2-3.1 Oct 26 2004 22:03:06

Best Regards
Andy Schmidt

Phone:  +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206 



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Monday, November 01, 2004 12:14 AM
To: Andy Schmidt
Subject: Re[4]: [sniffer] LogRotate no longer working?


On Monday, November 1, 2004, 12:02:30 AM, Andy wrote:

AS> Pete,

AS> - okay, I ran the STOP command - it never ended
AS> - the "persistent" command window never ended
AS> - I finally stopped the SERVICE and the "stop" command ended
AS> - I finally CLOSED the command window to flush the persistent task

AS> Then I saw a whole bunch of sniffer tasks launch in the task window 
AS> - so I assume it was no longer running in persistent mode.  After 
AS> watching this for 2 minutes, I restarted the server.

Ok.

AS> Now I tried against

AS> mylicense.exe rotate

AS> from the command line.
AS> - It DOES return, I see no error message.
AS> - It creates an EMPTY mylicense.ROTATE file !?

That is a signal to the Persistent instance. Under normal conditions the
persistent server will see this file, delete it, and process the command it
represents. When the issuing instance sees the file disappear - or times out
- then it returns.

AS> - It does NOT rename the active log and continues to use it.

This means that the Persistent instance did not recognize or process the
command. When you issued the command it returned after 30 seconds or so
simply because it had finished waiting - there is a time-out.

What version operating system are you using?

What does your licenseid.persistent.stat file contain?

If you run your sniffer exe from the command line with no parameters what is
the build information?

Thanks,
_M




This E-Mail came from the Message Sniffer mailing list. For information and
(un)subscription instructions go to
http://www.sortmonster.com/MessageSniffer/Help/Help.html



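The signal-file handshake Pete describes above (the issuing instance drops an empty <licenseid>.ROTATE file, the persistent instance deletes it and acts, and the issuer returns when the file disappears or when its wait times out), as an added Python model that is not Message Sniffer's code; the licenseid "lic", the .ROTATE suffix, the short timeout and the lic.log file are assumptions. Running it with no listener reproduces the symptom in this thread: the command returns only at the timeout and the empty signal file is left behind.

```python
import tempfile
import threading
import time
from pathlib import Path

# Assumed names: licenseid "lic", signal suffix .ROTATE, active log lic.log.
SIGNAL_EXT = ".ROTATE"

def issue_command(workdir, licenseid, timeout=1.0, poll=0.02):
    """Issuing instance: create <licenseid>.ROTATE and wait for the persistent
    instance to delete it. True = consumed; False = timed out, file left on disk."""
    signal = workdir / (licenseid + SIGNAL_EXT)
    signal.touch()
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if not signal.exists():
            return True
        time.sleep(poll)
    return False

def persistent_loop(workdir, licenseid, stop, rotated, poll=0.02):
    """Persistent instance: poll for the signal file, delete it to acknowledge,
    then rotate the active log by renaming it."""
    signal = workdir / (licenseid + SIGNAL_EXT)
    active = workdir / (licenseid + ".log")
    while not stop.is_set():
        if signal.exists():
            signal.unlink()
            target = workdir / f"{licenseid}.{len(rotated) + 1}.log"
            active.rename(target)
            rotated.append(target.name)
        time.sleep(poll)

def demo(server_running):
    """One rotate command with or without a listening persistent instance.
    Returns (consumed, signal_file_left_behind, rotated_file_names)."""
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        (workdir / "lic.log").write_text("constructed log line\n")  # constructed
        stop, rotated, worker = threading.Event(), [], None
        if server_running:
            worker = threading.Thread(target=persistent_loop,
                                      args=(workdir, "lic", stop, rotated))
            worker.start()
        consumed = issue_command(workdir, "lic")
        stop.set()
        if worker:
            worker.join()
        return consumed, (workdir / ("lic" + SIGNAL_EXT)).exists(), rotated
```

A leftover, empty signal file after the issuer has returned is the diagnostic: the persistent instance never consumed the command.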

RE: Re[4]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Michiel Prins
What we did was write a wrapper around sniffer, and fire that wrapper from
the Content Filter. That wrapper measures how long each sniffer instance
takes. In the previous version, it took way longer when using the persistent
version than when not using the persistent version. You would expect it to
be the other way around.

I could try the new version tomorrow to see if this one is actually faster,
but if I don't get around to doing it tomorrow, I can't check it anymore,
coz I'm going down under for a month.


Regards,
Michiel

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Pete McNeil
Sent: Wednesday, October 20, 2004 19:50
To: Frank Osako
Subject: Re[4]: [sniffer] Version 2-3.0i8 published.

On Wednesday, October 20, 2004, 12:54:04 PM, Frank wrote:

FO> Hello _M

_>> Systems with heavier loads _should_ see a reduction in their backlog

FO> See a reduction of "what" in their backlog? Can you give an example 
FO> of how to see this type of measurement?

Another good question - I will try to get a solid, detailed answer.
I'm not an MDaemon expert so I'm not sure what the best strategies are for
measuring throughput performance and backlog (inbound/outbound queue
length).

Perhaps there are some MDaemon experts on list that can share their
strategies for making these measurements? In particular, how best to measure
these things when the system in question is not overloaded?

Thanks,
_M










RE: Re[4]: [sniffer] Version 2-3.0i8 published.

2004-10-20 Thread Keith Johnson
If we don't run MDaemon on our systems and just use the new
download, will we also see a speed increase in processing?  Thanks for
the time.

Keith 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Wednesday, October 20, 2004 1:50 PM
To: Frank Osako
Subject: Re[4]: [sniffer] Version 2-3.0i8 published.

On Wednesday, October 20, 2004, 12:54:04 PM, Frank wrote:

FO> Hello _M

_>> Systems with heavier loads _should_ see a reduction in their backlog

FO> See a reduction of "what" in their backlog? Can you give an example 
FO> of how to see this type of measurement?

Another good question - I will try to get a solid, detailed answer.
I'm not an MDaemon expert so I'm not sure what the best strategies are
for measuring throughput performance and backlog (inbound/outbound queue
length).

Perhaps there are some MDaemon experts on list that can share their
strategies for making these measurements? In particular, how best to
measure these things when the system in question is not overloaded?

Thanks,
_M









RE: Re[4]: [sniffer] Surprising missed spam

2004-09-14 Thread Jonathan Hickman
How does a user go about modifying the custom sniffer rules?  Must Sort
Monster be contacted or is it possible to do this with some other system
(such as a web based interface)?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
Sent: Tuesday, September 14, 2004 3:28 PM
To: Landry William
Subject: Re[4]: [sniffer] Surprising missed spam


On Tuesday, September 14, 2004, 1:05:29 PM, Landry wrote:


LW> Pete, I started running the new code this morning, and so far, so 
LW> good. I'll let you know if I see anything strange.

Thanks.
_M








Re: Re[4]: [sniffer] Charset

2004-08-20 Thread Scott Fisher
-Mad,

How set up is Message Sniffer to determine if an e-mail in a foreign
language is spam and then code for it?
I dutifully submit my Spanish spam to the spam at sortmonster.com address.
It's a very, very small percentage of my overall spam, but it consistently
lands in my battleground grey-weight ranges.

I only ask, because I have seen the amount of non-English spam trending
upwards. I've noticed spam here in Russian, German, Spanish, Korean,
Portuguese and Chinese.

- Original Message - 
From: "Pete McNeil" <[EMAIL PROTECTED]>
To: "Michiel Prins" <[EMAIL PROTECTED]>
Sent: Friday, August 20, 2004 7:04 AM
Subject: Re[4]: [sniffer] Charset


> On Friday, August 20, 2004, 2:35:35 AM, Michiel wrote:
>
> MP> Pete, even your message had a charset header:
>
> MP> Content-Type: text/plain; charset=us-ascii
>
> Yes, a tricky gadget indeed.
>
> MP> I think you'll generate more FP's if you do something like that than FN's
> MP> you might have now. Aren't there spamassassin config files that detect this
> MP> spam?
>
> Just to be clear - we're not precisely talking about spam per se.
> Rather we're talking about stating that all traffic on a particular
> system should be only in one language as a matter of policy...
>
> The distinction is small I suppose, but in my mind important. In
> filtering spam we're usually trying to target only messages that are
> unsolicited commercial email, pornography, or somehow harmful... With
> this other approach instead of trying to defeat what we don't want, we
> are trying to only accept what we do want... Not so much putting up
> blocks, more like putting up a huge block and punching holes.
>
> There are some SA filters that do this kind of thing...
> Ultimately I think it boils down to filtering out anything with a
> charset that is not wanted.
>
> If we achieve this by attrition (rather than attempting to capture all
> of the charsets at once) then we will achieve a strong result quickly
> at a relatively low cost and we might avoid potential false positives
> that are out there.
>
> MHO,
> _M
>
>




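The charset policy Pete sketches above (accept only the character sets a site wants, instead of chasing spam charset by charset), as an added Python example that is not from the thread or from Message Sniffer; the allow-list and the sample messages are constructed. It walks every text part of a message so a multipart message with one part in an unwanted charset is also flagged, and it treats a text part with no charset parameter as us-ascii as RFC 2045 specifies, which is what keeps an ordinary message like the one Michiel quoted from being a false positive.

```python
import email
from email import policy

# Constructed site policy: the character sets this site accepts (an assumption,
# not a Message Sniffer setting).
ALLOWED_CHARSETS = {"us-ascii", "iso-8859-1", "utf-8"}


def message_charsets(raw: bytes) -> set:
    """Collect the charset of every text/* part, including nested parts.
    A text part with no charset parameter is us-ascii per RFC 2045."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found.add((part.get_content_charset() or "us-ascii").lower())
    return found


def unwanted_charsets(raw: bytes, allowed=ALLOWED_CHARSETS) -> set:
    """Return the charsets in the message that policy does not accept;
    an empty set means the message passes the charset policy."""
    return message_charsets(raw) - allowed


# Constructed sample messages (not real traffic).
ASCII_MSG = (b"From: a@example.com\r\nSubject: ascii\r\n"
             b"Content-Type: text/plain; charset=us-ascii\r\n\r\nhello\r\n")
NO_CHARSET_MSG = (b"From: a@example.com\r\nSubject: no param\r\n"
                  b"Content-Type: text/plain\r\n\r\nhello\r\n")
KOI8_MSG = (b"From: a@example.com\r\nSubject: ru\r\n"
            b"Content-Type: text/plain; charset=koi8-r\r\n\r\n...\r\n")
MULTI_MSG = (b"From: a@example.com\r\nSubject: multi\r\n"
             b"Content-Type: multipart/alternative; boundary=b1\r\n\r\n"
             b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nhi\r\n"
             b"--b1\r\nContent-Type: text/html; charset=utf-7\r\n\r\n+ADw-p+AD4-hi\r\n"
             b"--b1--\r\n")

if __name__ == "__main__":
    for name, raw in [("ascii", ASCII_MSG), ("no charset", NO_CHARSET_MSG),
                      ("koi8", KOI8_MSG), ("multipart", MULTI_MSG)]:
        print(name, sorted(message_charsets(raw)),
              "unwanted:", sorted(unwanted_charsets(raw)))
```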

RE: Re[4]: [sniffer] Rule Strengths

2004-08-04 Thread John Tolmachoff (Lists)
Do you want me to just keep sending them to [EMAIL PROTECTED]

What worries me is even though these are to non-existent users, (yes Sandy,
I am going to use ldap2aliases, I am working on a problem getting a
recipient policy to work on one group that needs 2 sets,) I wonder how much
of this is getting to actual users.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Wednesday, August 04, 2004 9:04 AM
> To: John Tolmachoff (Lists)
> Cc: [EMAIL PROTECTED]
> Subject: Re[4]: [sniffer] Rule Strengths
> 
> On Tuesday, August 3, 2004, 12:18:43 PM, John wrote:
> 
> JTL> I am still seeing a large amount of this new type of spam getting through.
> 
> I haven't forgotten you.
> I'm thinking.
> If you have any ideas please let me know.
> Thanks,
> 
> _M
> 
> 




RE: Re[4]: [sniffer] Effectiveness (lately)

2004-07-29 Thread John Tolmachoff (Lists)
Would the new attached fall under the same rule?

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Pete McNeil
> Sent: Thursday, July 29, 2004 9:56 AM
> To: John Tolmachoff (Lists)
> Subject: Re[4]: [sniffer] Effectiveness (lately)
> 
> On Thursday, July 29, 2004, 12:21:53 PM, John wrote:
> 
> JTL> p7ehr11u 20040729151948  D158b005f017cd629.SMD   203 0
> JTL> Clean0   0   0   146136
> 
> JTL> Here is the sniffer log file for the attached message that did not get
> JTL> caught.
> 
> You may simply not have this rule yet.
> The rule for this particular spam was just coded today:
> 
> New Rule Only Violation
> Rule ID - 155448
> Created - 2004-07-29
> In Account - [EMAIL PROTECTED]
> Logged In As - [EMAIL PROTECTED]
> From Source - .friendlyrxworld.com
> Rule Type - Domain
> Hidden - false
> Blockled - false
> Origin - Spam Trap
> Original Rule Name - overnight pharmacy
> Current Strength - 0.0
> False Reports - 0
> From Users - 0
> 
> 
> Rule belongs to following groups
> [299] Snake Oil
> 
> 